Fs: Btrfs - Fix possible ERR_PTR() dereferencing.

linux-btrfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Fs: Btrfs - Fix possible ERR_PTR() dereferencing.
@ 2016-09-20  6:48 Shailendra Verma
  2016-09-20 13:00 ` Jeff Mahoney
  0 siblings, 1 reply; 2+ messages in thread
From: Shailendra Verma @ 2016-09-20  6:48 UTC (permalink / raw)
  To: Chris Mason, Josef Bacik, David Sterba, linux-btrfs,
	Shailendra Verma, Ravikant Sharma
  Cc: linux-kernel, vidushi.koul

This is of course wrong to call kfree() if memdup_user() fails,
no memory was allocated and the error in the error-valued pointer
should be returned.

Reviewed-by: Ravikant Sharma <ravikant.s2@samsung.com>
Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
---
 fs/btrfs/ioctl.c | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index da94138..58a40f8 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4512,11 +4512,8 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
 		return -EPERM;
 
 	loi = memdup_user(arg, sizeof(*loi));
-	if (IS_ERR(loi)) {
-		ret = PTR_ERR(loi);
-		loi = NULL;
-		goto out;
-	}
+	if (IS_ERR(loi))
+		return PTR_ERR(loi);
 
 	path = btrfs_alloc_path();
 	if (!path) {
@@ -5143,11 +5140,8 @@ static long btrfs_ioctl_set_received_subvol_32(struct file *file,
 	int ret = 0;
 
 	args32 = memdup_user(arg, sizeof(*args32));
-	if (IS_ERR(args32)) {
-		ret = PTR_ERR(args32);
-		args32 = NULL;
-		goto out;
-	}
+	if (IS_ERR(args32))
+		return PTR_ERR(args32);
 
 	args64 = kmalloc(sizeof(*args64), GFP_NOFS);
 	if (!args64) {
@@ -5195,11 +5189,8 @@ static long btrfs_ioctl_set_received_subvol(struct file *file,
 	int ret = 0;
 
 	sa = memdup_user(arg, sizeof(*sa));
-	if (IS_ERR(sa)) {
-		ret = PTR_ERR(sa);
-		sa = NULL;
-		goto out;
-	}
+	if (IS_ERR(sa))
+		return PTR_ERR(sa);
 
 	ret = _btrfs_ioctl_set_received_subvol(file, sa);
 
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: Fs: Btrfs - Fix possible ERR_PTR() dereferencing.
  2016-09-20  6:48 Fs: Btrfs - Fix possible ERR_PTR() dereferencing Shailendra Verma
@ 2016-09-20 13:00 ` Jeff Mahoney
  0 siblings, 0 replies; 2+ messages in thread
From: Jeff Mahoney @ 2016-09-20 13:00 UTC (permalink / raw)
  To: Shailendra Verma, Chris Mason, Josef Bacik, David Sterba,
	linux-btrfs, Ravikant Sharma
  Cc: linux-kernel, vidushi.koul


[-- Attachment #1.1: Type: text/plain, Size: 2414 bytes --]

On 9/20/16 2:48 AM, Shailendra Verma wrote:
> This is of course wrong to call kfree() if memdup_user() fails,
> no memory was allocated and the error in the error-valued pointer
> should be returned.
> 
> Reviewed-by: Ravikant Sharma <ravikant.s2@samsung.com>
> Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>

Hi Shailendra -

In all three cases, the return value is set using the error-valued
pointer and the pointer is set to NULL.  kfree() checks to see if the
pointer is NULL and, if so, does nothing.  This allows us to use a
common exit path which is an extremely common pattern in the kernel.  So
there's never any possible ERR_PTR dereferencing happening.

However, in all three cases, the allocation you're checking is the first
in each routine and there's no additional cleanup to do.  So your patch
is an improvement, but it's an improvement in code readability instead
of a bug fix.  I'd ask that you re-submit with a commit message that
reflects that.

Thanks,

-Jeff

> ---
>  fs/btrfs/ioctl.c | 21 ++++++---------------
>  1 file changed, 6 insertions(+), 15 deletions(-)
> 
> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
> index da94138..58a40f8 100644
> --- a/fs/btrfs/ioctl.c
> +++ b/fs/btrfs/ioctl.c
> @@ -4512,11 +4512,8 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
>  		return -EPERM;
>  
>  	loi = memdup_user(arg, sizeof(*loi));
> -	if (IS_ERR(loi)) {
> -		ret = PTR_ERR(loi);
> -		loi = NULL;
> -		goto out;
> -	}
> +	if (IS_ERR(loi))
> +		return PTR_ERR(loi);
>  
>  	path = btrfs_alloc_path();
>  	if (!path) {


> @@ -5143,11 +5140,8 @@ static long btrfs_ioctl_set_received_subvol_32(struct file *file,
>  	int ret = 0;
>  
>  	args32 = memdup_user(arg, sizeof(*args32));
> -	if (IS_ERR(args32)) {
> -		ret = PTR_ERR(args32);
> -		args32 = NULL;
> -		goto out;
> -	}
> +	if (IS_ERR(args32))
> +		return PTR_ERR(args32);
>  
>  	args64 = kmalloc(sizeof(*args64), GFP_NOFS);
>  	if (!args64) {
> @@ -5195,11 +5189,8 @@ static long btrfs_ioctl_set_received_subvol(struct file *file,
>  	int ret = 0;
>  
>  	sa = memdup_user(arg, sizeof(*sa));
> -	if (IS_ERR(sa)) {
> -		ret = PTR_ERR(sa);
> -		sa = NULL;
> -		goto out;
> -	}
> +	if (IS_ERR(sa))
> +		return PTR_ERR(sa);
>  
>  	ret = _btrfs_ioctl_set_received_subvol(file, sa);
>  
> 


-- 
Jeff Mahoney
SUSE Labs


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 881 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-09-20 13:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-20  6:48 Fs: Btrfs - Fix possible ERR_PTR() dereferencing Shailendra Verma
2016-09-20 13:00 ` Jeff Mahoney

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).